[Pdns-users] Recursor: Black list

Ciro Iriarte cyruspy at gmail.com
Sun Oct 26 04:47:31 UTC 2014

2014-10-26 1:17 GMT-03:00 Ciro Iriarte <cyruspy at gmail.com>:
> 2014-10-20 15:12 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
>> On Mon, Oct 20, 2014 at 02:09:05PM -0300, Ciro Iriarte wrote:
>>> 2014-10-20 13:29 GMT-03:00 Robert Mortimer <robm at scramworks.net>:
>>> > Hi,
>>> >
>>> > Just to add a bit less light, we implemented this sort of thing about 5 years back
>>> > and now with the aid of a small script have a solution which is fully RPZ
>>> > compatable. Using PDNS recursor and LUA, which can hadle an RPZ feed of about four
>>> > thousand records and around 5,000 QPS. We did stress test briefly with a 11,000 item
>>> > RPZ feed.
>>> >
>>> > As said no need to restart when it updates just do a LUA reload. Hopefully I
>>> > should be able to release what we did soon - am waiting for permission from our
>>> > legal types.
>>> >
>>> > Really not sure if that helps any, except to say it's very doable and can be
>>> > quite stable.
>>> >
>>> >
>>> RPZ seem really interesting, and I see there was a request for it in
>>> the past*. The thing is, we have direct requests from local government
>>> agencies to ban some domains with legal issues (mandated by a judge
>>> for example), and we were just approached about being able to block
>>> sites from the Internet Watch Foundation black list also (with their
>>> own landing page). Both cases will be redirected to different sites,
>>> and each has its own data source. Currently on bind we just define the
>>> domain as authoritative and it's kind of a hassle.
>>> Also, I thought about adding some helpful LUA bits to report date/time
>>> or the client's IP address, but from what I understood, only one LUA
>>> script can be added to the recursor, maybe a super monster script
>>> could be able to achieve all that.
>>> Ref:
>>> * http://mailman.powerdns.com/pipermail/pdns-users/2012-December/009451.html
>>> Regards,
>>> --
>>> Ciro Iriarte
>>> http://iriarte.it
>>> --
>> Hi,
>> I would use a single Lua script for all of it. I am trying to find my
>> sample using CDB to post.
>> Regards,
>> Ken
> Hi!, got a proof of concept script that successfully does the CDB
> lookup, but I'm curious about the CNAME answers, how can I call
> another resolution iteration to find the A record for the final
> destination?
> Currently I can only answer a CNAME record, and any attempt to reach a
> website for example will fail with "Couldn't resolve host".
> Regards,
> --
> Ciro Iriarte
> http://iriarte.it
> --

Answering to myself, found the followCNAMERecords return option. It
works to look for a regular A lookup from the CNAME result. It doesn't
cover the case were out overwritten answer should also be blocked (the
LUA script is not run on that iteration).

Should that case be covered?, is there other return code that will
trigger the LUA script again for the CNAME follow up?

Ciro Iriarte

More information about the Pdns-users mailing list